From 882830d64263745d22aafff80929adf555e01bf8 Mon Sep 17 00:00:00 2001 
From: Dave Sugar Date: Mon, 22 Jan 2024 10:50:09 -0500 Subject: [PATCH] Resolve error when cockpit initiate shutdown node=localhost type=AVC msg=audit(1705937785.855:1258): avc: denied { create } for pid=1741 comm="systemd-logind" name=".#scheduleddAhZqh" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1705937817.548:1268): avc: denied { create } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1705937817.548:1268): avc: denied { read write open } for pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1705937817.548:1269): avc: denied { setattr } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1705937817.548:1270): avc: denied { getattr } for pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1705937817.548:1271): avc: denied { rename } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1705937817.549:1272): avc: denied { write } for pid=1741 comm="systemd-logind" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1705937817.549:1272): avc: denied { add_name } for pid=1741 comm="systemd-logind" name=".#nologin0EGTLr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1705937817.549:1273): avc: denied { remove_name } for pid=1741 comm="systemd-logind" name=".#nologin3EGTLr" dev="tmpfs" ino=1804 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar
---
 policy/modules/services/cockpit.if | 3 ++-
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 7a002b3e5b..4c452484ca 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -64,9 +64,10 @@ template(`cockpit_role_template',`
 cockpit_use_ws_fds($2)
 cockpit_rw_ws_stream_sockets($2)
- init_watch_runtime_dirs($2)
 init_watch_utmp($2)
+ systemd_watch_logind_runtime_dirs($2)
+ userdom_dontaudit_execute_user_tmpfs_files($2)
 ')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 01794c5f0c..fb14f63730 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
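Review bot: `userdom_dontaudit_execute_user_tmpfs_files($2)` in the cockpit_role_template hunk silences an execute denial that none of the AVCs quoted in the commit message shows, so a reader cannot tell what access is being hidden or why hiding it is safe; please add the triggering AVC to the message or a one-line comment above the call, in the form `# dontaudit: <what the cockpit session does that trips execute on user tmpfs files>`. Swapping `init_watch_runtime_dirs` for `systemd_watch_logind_runtime_dirs` narrows the role's inotify watch from all of init's runtime directories to logind's own type, which is the right least-privilege direction, but it only reaches /run/systemd/shutdown if that directory actually carries systemd_logind_runtime_t at runtime (see the systemd.fc hunk). The template body starts before this hunk.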
@@ -105,6 +105,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1271fd1e87..f7c2245d22 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -901,11 +901,13 @@ dev_setattr_video_dev(systemd_logind_t)
 domain_obj_id_change_exemption(systemd_logind_t)
+files_check_write_runtime_dirs(systemd_logind_t)
 files_read_etc_runtime_files(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 # Getattr all shm segments as part of cleaning up the
 # segments of deleted ephemeral users.
 files_getattr_all_tmpfs_files(systemd_logind_t)
+files_rw_runtime_dirs(systemd_logind_t)
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
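Review bot: The new `/run/systemd/shutdown(/.*)?` entry only fixes the reported denials if the directory is created with that label: /run is a tmpfs rebuilt on every boot, and the AVCs in the message show the directory already sitting as init_runtime_t while logind creates and renames `.#scheduled*` inside it. If logind creates the directory with a label-aware mkdir the .fc entry is enough; if it does not (this patch cannot show which), systemd.te also needs a transition on the parent, e.g. `init_runtime_filetrans(systemd_logind_t, systemd_logind_runtime_t, dir, "shutdown")`, or the directory inherits init_runtime_t and the create/rename denials come back in enforcing mode. Either way, this is worth a one-line comment next to the .fc entry, since the cockpit role's new watch rule depends on this label being correct at runtime.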
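Review bot: `files_rw_runtime_dirs(systemd_logind_t)` grants add_name/remove_name on every var_run_t directory, not only the /run root (name="/", ino=1 in the AVCs) where logind drops its `.#nologin*` temp file, and nothing in the hunk records that purpose; a why-comment on the line, e.g. `# create /run/nologin (written as .#nologin* then renamed) ahead of a scheduled shutdown`, would keep the next reader from widening or removing it blindly. The temp-then-rename names in the AVCs also mean a named file transition on "nologin" would not relabel the final file, so it is worth confirming in enforcing mode which type /run/nologin ends up with and that the login-side domains can still read it, otherwise the login block may not take effect. `files_check_write_runtime_dirs` matches the bare `write` on the directory, presumably an access(W_OK) probe, and looks fine on its own.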